
Thread: honeypots .. any experience?


  1. #1
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default honeypots .. any experience?

    I've been thinking about setting up one or two old computers as a little honeypot and was wondering if anyone here had any experience or could point me in the right direction.

    I know of several tools (honeywall, honeyd etc..) to use to get me started but I haven't managed to find any good information as to how to implement these and get started.

    So far I have a spare Lenovo T42, an old desktop computer and an ISP that gives me 5 public IP's but no knowledge :P

    So if anyone has any good links for me, articles, projects, wiki sites or whatever I would be grateful if you could post them

  2. #2
    Member
    Join Date
    Aug 2007
    Posts
    468

    Default

    Here is a pre-built VMWare Honeyd on Fedora 7 to get you started:

    http://www.vmware.com/appliances/directory/1231

    Also, I know it's not a honeypot, but have a look at B.A.S.E & OSSIM; there was a long thread on here about it ~3-4 months ago. They are IDS systems and you could place them in front of your honeypot system.
    Quote Originally Posted by cormega View Post
    I've been thinking about setting up one or two old computers as a little honeypot and was wondering if anyone here had any experience or could point me in the right direction.

    I know of several tools (honeywall, honeyd etc..) to use to get me started but I haven't managed to find any good information as to how to implement these and get started.

    So far I have a spare Lenovo T42, an old desktop computer and an ISP that gives me 5 public IP's but no knowledge :P

    So if anyone has any good links for me, articles, projects, wiki sites or whatever I would be grateful if you could post them

  3. #3
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    Thank you sir! That looks like just the thing I need right now!

    Gonna check out the other things you mentioned too and give some feedback in this thread..

  4. #4
    Junior Member the_rooster's Avatar
    Join Date
    Apr 2008
    Posts
    25

    Default Use one box as a bridge

    I've had some experience setting up honeynets and the way I would suggest is to use one of your boxes as a bridge, with one NIC going to the internet and the other going to a switch or directly to the other box you want to get hacked. This setup has several advantages:
    1. The bridge will be transparent and will have no IP, but traffic still has to go through iptables. So you can still log all of the traffic with tcpdump, while at the same time hopefully remaining undetectable.
    2. You can egress filter on the outbound traffic. I limit the outbound traffic to about 1000 packets per day so that way after the honeypot box does get owned, it won't be used to DOS a children's hospital or something.
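
    The bridge setup described above, written out as an added example (not the_rooster's own script): an IP-less bridge br0 over eth0 (internet side) and eth1 (honeypot side), bridged frames forced through the iptables FORWARD chain, outbound packets from the honeypot capped with the limit module, and tcpdump capturing on the bridge. Interface names, the 1000/day cap, and the log directory are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Transparent bridge honeypot gateway (example, assumed interface layout):
#   OUTSIDE=eth0 (internet side), INSIDE=eth1 (honeypot side), br0 has no IP.
# DRY_RUN=1 prints each command instead of executing it (needs root otherwise).
set -eu

OUTSIDE=${OUTSIDE:-eth0}
INSIDE=${INSIDE:-eth1}
BRIDGE=${BRIDGE:-br0}
EGRESS_LIMIT=${EGRESS_LIMIT:-1000/day}   # cap on packets leaving the honeypot
LOGDIR=${LOGDIR:-/var/log/honeypot}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Build the bridge and leave it without an IP address so it is silent on the wire.
setup_bridge() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$OUTSIDE" master "$BRIDGE"
    run ip link set "$INSIDE" master "$BRIDGE"
    run ip link set "$OUTSIDE" up
    run ip link set "$INSIDE" up
    run ip link set "$BRIDGE" up
    # Make bridged frames traverse iptables FORWARD (needs the br_netfilter module).
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Inbound to the honeypot passes; outbound from it is rate-limited, logged, then dropped.
setup_egress_filter() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m physdev --physdev-in "$OUTSIDE" -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" \
        -m limit --limit "$EGRESS_LIMIT" --limit-burst 50 -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" \
        -m limit --limit 10/min -j LOG --log-prefix "HONEYPOT-EGRESS-DROP "
    run iptables -A FORWARD -m physdev --physdev-in "$INSIDE" -j DROP
}

# Full-packet capture on the bridge, rotated hourly; the capture host never transmits.
start_capture() {
    run mkdir -p "$LOGDIR"
    run tcpdump -i "$BRIDGE" -n -s 0 -G 3600 -w "$LOGDIR/honeypot-%Y%m%d-%H%M%S.pcap"
}

honeypot_gateway() { setup_bridge; setup_egress_filter; start_capture; }

# Invoke as "sh gateway.sh apply" (as root, or with DRY_RUN=1 to preview).
case "${1:-}" in apply) honeypot_gateway ;; esac
```

Once a honeypot is compromised, the LOG line gives you a kernel-log signal of exceeded egress, which is itself a useful indicator that the box has been taken over.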

  5. #5
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Default

    Quote Originally Posted by the_rooster View Post
    I've had some experience setting up honeynets and the way I would suggest is to use one of your boxes as a bridge, with one NIC going to the internet and the other going to a switch or directly to the other box you want to get hacked. This setup has several advantages:
    1. The bridge will be transparent and will have no IP, but traffic still has to go through iptables. So you can still log all of the traffic with tcpdump, while at the same time hopefully remaining undetectable.
    2. You can egress filter on the outbound traffic. I limit the outbound traffic to about 1000 packets per day so that way after the honeypot box does get owned, it won't be used to DOS a children's hospital or something.
    Yes, even better when you add a tap (search for 'snifdet' on this forum, and about half way through the post and on).
    dd if=/dev/swc666 of=/dev/wyze

  6. #6
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    Thanks for a lot of helpful replies.. I'm looking forward to testing these things throughout the weekend..

    One quick question though, what would be the best setup for the "bridge" computer?

    Can I just as well install any distro here or are there any recommendations or distros to avoid?

    EDIT: swc666, a 'snifdet' search returns no results, both with and without the quotes and when searching threads and topics throughout the whole forum.

    What am I doing wrong?

  7. #7
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    Between these two: BackTrack is 4, FwdTrack4
    Posts
    854

    Thumbs up

    Quote Originally Posted by BOFH139 View Post
    Here is a pre-built VMWare Honeyd on Fedora 7 to get you started:

    http://www.vmware.com/appliances/directory/1231

    Also, I know it's not a honeypot, but have a look at B.A.S.E & OSSIM; there was a long thread on here about it ~3-4 months ago. They are IDS systems and you could place them in front of your honeypot system.
    By "in front" you mean an IPS system, which is what it is when it works in inline mode, but an IDS can be placed anywhere because it will get a copy of each packet destined for the internal host, thus generating an alarm and taking action (block or reset) based on the configured action.

  8. #8
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    OK, after reading a book called Virtual Honeypots, I've somehow decided to start with a virtual honeypot :P

    I will launch this after 8 hours of sleep and a couple of hours more of work. I will start off with a VM image of a Win 2000 machine and I will log all traffic and keystrokes on the machine. I will also limit outgoing traffic and block a lot of the common ports both incoming and outgoing to avoid worm traffic to and from the honeypot.

    Once online I will create a thread in this sub forum and post the status, results etc and keep this thread going when it comes to issues regarding the implementation and set-up of honeypots..

    I have also created a blog for this project: The HoneyProject, which will also be used to post info about this and other honeynet projects I will start in the future... At first I wanted to create a website, but I decided that it would be too much work to create and maintain, so I went the easy route and got myself a blogspot.

  9. #9
    Senior Member lund99's Avatar
    Join Date
    Feb 2010
    Posts
    142

    Default

    OK, so my HDD totally crashed at the worst possible time last week (if you read my blog you can see a more detailed description of the incident there) and I haven't had the time to work any more on the project until now.

    On the other hand, though, Lance Spitzner from www.honeynet.org tipped me about their mailing list, which I joined instantly, and I have received a lot of useful tips from the users there already.

    Now my plan is to implement a complete honeynet on one machine using VMWare.

    Since I got the W2K VM host all ready and installed, I need to install Honeywall as a VM on the same host machine, get the config right, and hopefully I can get this thing up and running soon.

    I have also made some minor changes on my blog, with links both to this forum and to the remote exploit main site to raise awareness about this community and the BackTrack distro.

  10. #10
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by cormega View Post
    OK, so my HDD totally crashed at the worst possible time last week (if you read my blog you can see a more detailed description of the incident there) and I haven't had the time to work any more on the project until now.

    On the other hand, though, Lance Spitzner from www.honeynet.org tipped me about their mailing list, which I joined instantly, and I have received a lot of useful tips from the users there already.

    Now my plan is to implement a complete honeynet on one machine using VMWare.

    Since I got the W2K VM host all ready and installed, I need to install Honeywall as a VM on the same host machine, get the config right, and hopefully I can get this thing up and running soon.

    I have also made some minor changes on my blog, with links both to this forum and to the remote exploit main site to raise awareness about this community and the BackTrack distro.
    If you have a choice of OS to run as a VMware session for your honeypot, you should choose something like Win98 or WinME.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
